* chore: bump chromium in DEPS to 126.0.6470.0
* 5492605: Migrate TODOs referencing old crbug IDs to the new issue tracker IDs |5492605
* 5513277: Move subresource-filter-ruleset to GCS |5513277
* 5512656: Remove CustomizeChromeSupportsChromeRefresh2023 |5512656
* 5516009: Accept mouse events in inactive window for Top Chrome WebUIs |5516009
* 5376861: Change references to RWHVB in RWHIER and RenderWidgetTargeter to RWHVI. |5376861
* 5490530: Use partition_alloc PA_BUILDFLAG(...) outside PA. #cleanup |5490530
* 5296870: network: Allow trusted loaders to learn the sent request cookies. |5296870
* 5453438: Delegate delegated ink trails to RWHI from RWHIER. |5453438
* chore: update patches
* chore: bump chromium in DEPS to 126.0.6472.0
* chore: bump chromium in DEPS to 126.0.6474.0
* chore: update patches
* chore: bump chromium in DEPS to 126.0.6476.0
* chore: bump chromium in DEPS to 126.0.6478.0
* chore: bump chromium in DEPS to 126.0.6478.3
* chore: bump chromium in DEPS to 126.0.6478.8
* update patches
* only disable enterprise_cloud_content_analysis
* 5403888: [api] support v8::Data in v8::TracedReference and v8::EmbedderGraph |5403888
* chore: bump chromium in DEPS to 127.0.6484.0
* chore: bump chromium in DEPS to 127.0.6485.0
* 5539004: Use NOTREACHED_IN_MIGRATION() in remaining chrome/ |5539004
* src: cast to v8::Value before using v8::EmbedderGraph::V8Node | https://github.com/nodejs/node/pull/52638/files
* chore: update patches
* chore: update v8 patches
* chore: bump chromium in DEPS to 127.0.6486.0
* chore: bump chromium in DEPS to 127.0.6488.0
* chore: bump chromium in DEPS to 127.0.6490.0
* chore: bump chromium in DEPS to 127.0.6492.0
* chore: update patches

  For some reason, `feat_expose_raw_response_headers_from_urlloader.patch` got messed up in an earlier commit.
* chore: update patches

  printing.patch was updated due to 5535938
* 5527572: Move Connectors prefs files to components/enterprise/connectors/ |5527572
* chore: bump chromium in DEPS to 127.0.6494.0
* chore: bump chromium in DEPS to 127.0.6495.0
* chore: bump chromium in DEPS to 127.0.6496.0
* 5465511: [api] Mark v8::ObjectTemplate::SetAccessor(..) for deprecation |5465511
* chore: revert v8 deprecation

  See patch message for more details. |5526611
* chore: update patches
* 5538771: Remove srcdoc else-if block in CalculateOrigin() |5538771
* 5522321: [devtools] Support saving base64 encoded files via host bindings |5522321
* 5376861: Change references to RWHVB in RWHIER and RenderWidgetTargeter to RWHVI. |5376861
* 5530163: [media] Use VideoFrame::Plane typed enum instead of nameless enum |5530163
* 5463431: iwa: Only create IsolatedWebAppURLLoaderFactory for subresources in IWAs |5463431
* fixup! 5465511: [api] Mark v8::ObjectTemplate::SetAccessor(..) for deprecation |5465511
* 5512176: Remove OnEnvironmentEstimationComplete() |5512176
* 5528282: Move Web Speech API .mojom files to //media/mojo/mojom |5528282
* 5513740: Reland "[Extensions] Restructure extensions::ProcessMap" |5513740
* 5483406: [PEPC] Make PEPC permission subscription take into account device status |5483406
* 5526034: [DoH] Remove kDnsOverHttps feature flag |5526034

  The title is a bit misleading. They removed handling for the feature flag and generally intend to remove it but haven't yet. I only changed our code to address the flag that was removed. A quick search on GitHub for `DnsOverHttpsFallback` yielded a few results, but they were all C++ chromium code or patches, 0 app code or discussion results. Since I couldn't find any evidence of this flag being used in developer applications, I've chosen to exclude this change from the breaking changes docs.
* chore: revert v8 removal |5497515

  See patch message for more details.
* chore: cherry-pick Node.js patch for V8 API removal fix

  Node.js PR: https://github.com/nodejs/node/pull/52996
  V8 API Removal CL: |5539888

  See the patch description for more details.
* 5492183: Extensions: CodeHealth: Give enums some class |5492183
* fixup! 5528282: Move Web Speech API .mojom files to //media/mojo/mojom |5528282
* 5514687: Reland "Add a secret handshake to the base::Feature constructor" |5514687
* fixup! 5530163: [media] Use VideoFrame::Plane typed enum instead of nameless enum |5530163
* 5466238: PDF Viewer: add metrics to record if PDF is opened with a11y |5466238
* 5502081: Migrate OnDisplayRemoved to OnDisplaysRemoved |5502081
* 5539888: [api] Remove several APIs deprecated in version 12.6 |5539888

  This commit essentially only removes the `only_terminate_in_safe_scope` isolate creation parameter. This undoes some work that was originally done in #35766.
* 5498236: Make browser_tests force full async initialization for OSCrypt Async |5498236
* fixup! 5528282: Move Web Speech API .mojom files to //media/mojo/mojom |5528282
* 5545807: Migrate most remaining NOTREACHED() |5545807

  I took a systematic approach to modifying all of our uses of `NOTREACHED` that were causing errors:
  * If there was a `return` or `break` (etc.) immediately after `NOTREACHED`, I removed the control flow instruction and left the `NOTREACHED` unmodified
  * All other instances were migrated to `NOTREACHED_IN_MIGRATION`

  We should revisit pretty much all usage of `NOTREACHED` as an upgrade follow-up item.
* fixup! 5526034: [DoH] Remove kDnsOverHttps feature flag |5526034

  Turns out the feature flags were removed in the `.cc` file, but not the `.h` feature list file. This means that the feature flags are pretty much officially gone. (The leftover symbols in the header are likely an oversight from what I can gather.) We may potentially decide to put this in the breaking changes doc if we decide this feature flag is important enough to highlight.
* chore: bump chromium in DEPS to 127.0.6498.3
* chore: bump chromium in DEPS to 127.0.6500.0
* chore: bump chromium in DEPS to 127.0.6502.0
* chore: bump chromium in DEPS to 127.0.6504.0
* chore: bump chromium in DEPS to 127.0.6505.0
* chore: bump chromium in DEPS to 127.0.6508.0
* build: use Sha256Sum in script/sysroots.json

  Xref: 5506275
* chore: update chore_add_electron_deps_to_gitignores.patch

  Xref: no manual changes; patch applied with fuzz 2
* chore: update feat_allow_code_cache_in_custom_schemes.patch

  Xref: no manual changes; patch applied with fuzz 1
* chore: e patches all
* fixup! build: use Sha256Sum in script/sysroots.json

  `sync` succeeds now
* chore: replace absl::optional with std::optional

  Xref: 5253843
* chore: update CalculatePreferredSize() to new upstream semantics

  Xref: 5459174
  Xref: 5541220
  Xref: 5514708
  Xref: 5504212
  Xref: https://chromium-review.googlesource.com/516542
* chore: replace absl::optional with std::optional

  Xref: 5296147
* chore: add kPip to enumeration as a no-op |5546257
* [Autofill] Remove RenderFrame::ElementBoundsInWindow()

  Xref: 5553982
* chore: fix feat_add_streaming-protocol_registry_to_multibuffer_data_source.patch

  need new header to pick up definition of BLINK_PLATFORM_EXPORT macro

  Xref: 5463143
* chore: bump chromium in DEPS to 127.0.6510.0
* chore: update patches
* chore: fix include path for native_web_keyboard_event.h

  Xref: 5541976
* chore: add currently-unused should_include_device_status arg to GetPermissionStatusForCurrentDocument()

  Xref: 5545382
* chore: bump chromium in DEPS to 127.0.6512.0
* chore: update mas_avoid_private_macos_api_usage.patch.patch

  No manual changes; patch applied with fuzz 1
* chore: update feat_add_streaming-protocol_registry_to_multibuffer_data_source.patch

  No manual changes; patch applied with fuzz 1
* chore: update webview_fullscreen.patch

  No manual changes; patch applied with fuzz 1
* chore: remove cherry-pick-22db6918bac9.patch

  already present upstream
* chore: remove nonexistent patchfiles from .patches
* chore: remove cherry-pick-3e037e195e50.patch

  no longer needed; merged upstream
* Update namespace for files moved to //components/input

  Xref: 5563251
* Require client for InitParams to always specify an ownership mode.

  Xref: 5532482
  Xref: 5578714
* chore: e patches all
* fixup! Update namespace for files moved to //components/input
* chore: remove profile_keyed_service_factory, profile_selections from chromium_src

  already being linked in via chrome browser for printing
* chore: bump chromium in DEPS to 127.0.6515.0
* chore: bump chromium in DEPS to 127.0.6516.0
* chore: update render_widget_host_view_base.patch

  Xref: 5547803

  patch applied manually due to simple upstream shear
* chore: update feat_allow_code_cache_in_custom_schemes.patch

  No manual changes; patch applied with fuzz 1
* chore: e patches all
* Pull RWHIER and RWT to //content/common/input.

  Xref: 5397681
* chore: bump chromium in DEPS to 127.0.6517.0
* chore: update patches
* fixup: Update namespace for files moved to //components/input
* Remove 0-arg (default) constructor for views::Widget::InitParams. |5578714
* fixup: only disable enterprise_cloud_content_analysis

  The original commit a5480accc2, was due to this CL 5527572: Move Connectors prefs files to components/enterprise/connectors/ |5527572
* chore: bump chromium in DEPS to 127.0.6519.0
* chore: update patches
* src: do not use deprecated V8 API

  https://github.com/nodejs/node/pull/53084
* src: remove dependency on wrapper-descriptor-based cpp heap

  https://github.com/nodejs/node/pull/53086
* 5344413: [DevTools] Add `getHostConfig` UI binding for sending status of `base::Features` to DevTools |5344413
* 5585788: Extensions: ManifestHandler: Separate Registry like ExtensionRegistry |5585788
* chore: update filenames.libcxx.gni
* 5506857: Reland "Migrate clang-format to gcs first class deps" |5506857
* fixup: 5539888: [api] Remove several APIs deprecated in version 12.6
* fixup: 5506857: Reland Migrate clang-format to gcs first class deps
* chore: bump chromium in DEPS to 127.0.6521.0
* chore: update patches
* spec: update navigator.keyboard should lock the keyboard
* Block or allow all MIDI using the existing SysEx permission

  Refs 5154368
  Refs 5499157
* spec: update test/parallel/test-v8-stats
* views: remove CalculatePreferredSize()

  Refs 5504212
* chore: update patches after rebase
* 5560288: Re-enable ChromeOS XNNPack on Intel only |5560288
* chore: add nan patches for v8 changes

  Refs 5539888: [api] Remove several APIs deprecated in version 12.6 |5539888
  and 5539852: [heap][api] Remove deprecated v8::Isolate::IdleNotificationDeadline |5539852
* 5573603: Modularize //chrome/browser/themes |5573603
* 5539888: [api] Remove several APIs deprecated in version 12.6 |5539888
* chore: update patches
* test: fixup navigator.keyboard.lock on Windows
* chore: remove unneeded profile target

---------

Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
Co-authored-by: Keeley Hammond <khammond@slack-corp.com>
Co-authored-by: VerteDinde <vertedinde@electronjs.org>
Co-authored-by: Jeremy Rose <nornagon@nornagon.net>
Co-authored-by: clavin <clavin@electronjs.org>
Co-authored-by: Charles Kerr <charles@charleskerr.com>
Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org>
Co-authored-by: deepak1556 <hop2deep@gmail.com>
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: deepak1556 <hop2deep@gmail.com>
Date: Wed, 28 Jun 2023 21:11:40 +0900
Subject: fix: harden blink::ScriptState::MaybeFrom

This is needed as a side effect of https://chromium-review.googlesource.com/c/chromium/src/+/4609446
which now gets blink::ExecutionContext from blink::ScriptState
and there are isolate callbacks which get entered from Node.js
environment that has v8::Context not associated with blink::ScriptState.
Some examples are ModifyCodeGenerationFromStrings in node_bindings.cc,
blink::UseCounterCallback etc.

Without this patch, when blink::ScriptState::MaybeFrom tries to extract
blink::ScriptState from the provided v8::Context, and since Node.js has context
embedder data fields with index greater than blink (see node_context_data.h),
it leads to the following CHECK failure.

```
script_state.h(169)] Security Check Failed: script_state
```

This patch adds a new tag in the context associated with ScriptState
to uniquely identify it. It is based on what Node.js does to identify the
context created by it in `node_context_data.h`.

PS: We are not performing a check like

```
ScriptState* script_state =
    static_cast<ScriptState*>(context->GetAlignedPointerFromEmbedderData(
        kV8ContextPerContextDataIndex));
if (!script_state) {
  return nullptr;
}
```

since in 32-bit builds, which do not have the v8 sandbox enabled unlike 64-bit builds,
the embedder data slot will not lazily initialize indexes in the former. This means
accessing uninitialized lower indexes can return garbage values that cannot be null checked.
Refer to v8::EmbedderDataSlot::store_aligned_pointer for context.

diff --git a/gin/public/gin_embedders.h b/gin/public/gin_embedders.h
index 8d7c5631fd8f1499c67384286f0e3c4037673b32..99b2e2f63be8a46c5546dd53bc9b05e8c54e857c 100644
--- a/gin/public/gin_embedders.h
+++ b/gin/public/gin_embedders.h
@@ -18,6 +18,8 @@ namespace gin {
enum GinEmbedder : uint16_t {
kEmbedderNativeGin,
kEmbedderBlink,
+ kEmbedderElectron,
+ kEmbedderBlinkTag,
kEmbedderPDFium,
kEmbedderFuchsia,
};
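Review bot: kEmbedderBlinkTag is not an embedder like its neighbours, and nothing here says so; script_state.h consumes it as an additive offset on top of kEmbedderBlink, so its numeric position in this enum (3, given kEmbedderNativeGin starts at 0 with no explicit initializers) silently decides which embedder-data slot holds the ScriptState tag. A one-line comment on `+ kEmbedderBlinkTag,` stating that it reserves the per-context tag slot used by blink::ScriptState and that reordering it changes that slot would stop an innocent reorder (or an insertion before it, as `+ kEmbedderElectron,` already does to kEmbedderPDFium and kEmbedderFuchsia) from breaking MaybeFrom.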
diff --git a/third_party/blink/renderer/platform/bindings/script_state.cc b/third_party/blink/renderer/platform/bindings/script_state.cc
index e4a27a24c83dd1a478b2ada8b6c8220076790791..c76dc818f38a62fff63852dbecbc85e304ac731d 100644
--- a/third_party/blink/renderer/platform/bindings/script_state.cc
+++ b/third_party/blink/renderer/platform/bindings/script_state.cc
@@ -13,6 +13,10 @@ namespace blink {

ScriptState::CreateCallback ScriptState::s_create_callback_ = nullptr;

+int const ScriptState::kScriptStateTag = 0x6e6f64;
+void* const ScriptState::kScriptStateTagPtr = const_cast<void*>(
+ static_cast<const void*>(&ScriptState::kScriptStateTag));
+
// static
void ScriptState::SetCreateCallback(CreateCallback create_callback) {
DCHECK(create_callback);
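Review bot: a comment is missing on what actually makes this tag work: MaybeFrom compares the slot against the address `&ScriptState::kScriptStateTag`, not against the value 0x6e6f64, so the value only serves recognisability in a debugger, while uniqueness comes from there being exactly one definition of kScriptStateTag in the binary. Saying that above `+int const ScriptState::kScriptStateTag = 0x6e6f64;` would keep someone from later "fixing" the check to compare integers read from the slot. Style nit: Chromium writes `const int`, not `int const`.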
@@ -37,6 +41,8 @@ ScriptState::ScriptState(v8::Local<v8::Context> context,
DCHECK(world_);
context_.SetWeak(this, &OnV8ContextCollectedCallback);
context->SetAlignedPointerInEmbedderData(kV8ContextPerContextDataIndex, this);
+ context->SetAlignedPointerInEmbedderData(
+ kV8ContextPerContextDataTagIndex, ScriptState::kScriptStateTagPtr);
RendererResourceCoordinator::Get()->OnScriptStateCreated(this,
execution_context);
}
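Review bot: the write order here is load-bearing and should be documented: the ScriptState pointer at kV8ContextPerContextDataIndex is stored before the tag, so any context that passes the tag comparison in MaybeFrom is guaranteed to have an initialised data slot. A short comment above `+ context->SetAlignedPointerInEmbedderData(` ("tag last: it marks the data slot as valid") would prevent a future reorder from reopening the uninitialised-slot read the commit message describes for 32-bit builds.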
@@ -79,6 +85,8 @@ void ScriptState::DissociateContext() {
// Cut the reference from V8 context to ScriptState.
GetContext()->SetAlignedPointerInEmbedderData(kV8ContextPerContextDataIndex,
nullptr);
+ GetContext()->SetAlignedPointerInEmbedderData(
+ kV8ContextPerContextDataTagIndex, nullptr);
reference_from_v8_context_.Clear();

// Cut the reference from ScriptState to V8 context.
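Review bot: the teardown order is the mirror image of what it should be. The data pointer is nulled first and the tag second, so between the two calls the context still carries a valid tag next to a null ScriptState slot, which is precisely the combination MaybeFrom now trusts. Clearing the tag slot first (the reverse of the constructor, where the tag is written last) removes that window; the two `+ GetContext()->SetAlignedPointerInEmbedderData(` lines just need to move above the existing call.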
diff --git a/third_party/blink/renderer/platform/bindings/script_state.h b/third_party/blink/renderer/platform/bindings/script_state.h
index e9b16a9c71b9631222d0745428fea06be2e74472..aba4d930a9a45fb43e0aaac26af7df4fa07fc447 100644
--- a/third_party/blink/renderer/platform/bindings/script_state.h
+++ b/third_party/blink/renderer/platform/bindings/script_state.h
@@ -184,7 +184,12 @@ class PLATFORM_EXPORT ScriptState : public GarbageCollected<ScriptState> {
v8::Local<v8::Context> context) {
DCHECK(!context.IsEmpty());
if (context->GetNumberOfEmbedderDataFields() <=
- kV8ContextPerContextDataIndex) {
+ kV8ContextPerContextDataTagIndex) {
+ return nullptr;
+ }
+ if (context->GetAlignedPointerFromEmbedderData(
+ kV8ContextPerContextDataTagIndex) !=
+ ScriptState::kScriptStateTagPtr) {
return nullptr;
}
ScriptState* script_state =
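Review bot: the second early return is the real hardening, yet nothing in the code explains why a plain null check on the data slot was not used instead. The pointer-equality test against kScriptStateTagPtr rejects Node.js contexts whose embedder data extends past Blink's indexes (the commit message's case) and, on 32-bit non-sandbox builds, slots that were never written and hold arbitrary bytes, which a null check cannot catch. Add a comment to that effect above `+ if (context->GetAlignedPointerFromEmbedderData(` so the next reader does not simplify it back to `if (!script_state) return nullptr;`. The widened bounds check against kV8ContextPerContextDataTagIndex also covers kV8ContextPerContextDataIndex, since the tag index is the larger of the two; worth one more clause in the same comment.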
@@ -251,9 +256,15 @@ class PLATFORM_EXPORT ScriptState : public GarbageCollected<ScriptState> {
static void SetCreateCallback(CreateCallback);
friend class ScriptStateImpl;

+ static void* const kScriptStateTagPtr;
+ static int const kScriptStateTag;
static constexpr int kV8ContextPerContextDataIndex =
static_cast<int>(gin::kPerContextDataStartIndex) +
static_cast<int>(gin::kEmbedderBlink);
+ static constexpr int kV8ContextPerContextDataTagIndex =
+ static_cast<int>(gin::kPerContextDataStartIndex) +
+ static_cast<int>(gin::kEmbedderBlink) +
+ static_cast<int>(gin::kEmbedderBlinkTag);
};
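Review bot: kV8ContextPerContextDataTagIndex aliases another embedder's slot. With the enum as patched in gin_embedders.h (kEmbedderNativeGin = 0, kEmbedderBlink = 1, kEmbedderElectron = 2, kEmbedderBlinkTag = 3), `kPerContextDataStartIndex + kEmbedderBlink + kEmbedderBlinkTag` evaluates to kPerContextDataStartIndex + 4, which is exactly the slot gin's one-slot-per-embedder convention assigns to kEmbedderPDFium. That is harmless only as long as no PDFium per-context data is ever stored in a Blink context. If the intent is simply a reserved slot for the tag, `static_cast<int>(gin::kPerContextDataStartIndex) + static_cast<int>(gin::kEmbedderBlinkTag)` follows the existing convention and avoids the collision; either way, the derivation deserves a comment.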

// ScriptStateProtectingContext keeps the context associated with the